Wells Fargo Fiasco Lays Bare a Broken Identity System

Jon Corzine taught us we can’t trust people with our money. Marissa Mayer showed we can’t trust otherswith our emails. John Stumpf and Carrie Tolstedt have now demonstrated we can’t trust anyone with our identities.

See what I did there? I personalized the problem. I bet it hooked you in, but it’s a nasty trick that can lead to scapegoating and witch hunts without finding any lasting solutions. The people aren’t the problem here. Or at least, they’re not the whole problem.

Let’s start over: The Wells Fargo scandal is an example of what happens when a system requires you to effectively hand over the keys to your identity to strangers as if you were giving them your car keys.

News broke Wednesday that California’s attorney general, Kamala Harris, is investigating Wells Fargo on allegations of criminal identify theft. It’s unclear how strong a legal case Harris may have. But even if she’s grandstanding, she’s made an important connection.

As most readers know, more than 5,000 branch employees created roughly 2 million sham accounts under the watch of former Chief Executive Stumpf and former retail chief Tolstedt. Regardless of whether that conduct met a legal definition of identity theft, it clearly involved the unauthorized use of personal information. (A spokesman for Wells Fargo would say only that the bank is cooperating with the request for information,)

To be clear, I’m not making an argument for prosecuting anyone. This isn’t another post about who should be fired or whose pay should get clawed back or “ZOMG why hasn’t anyone gone to jail yet?” Leave that to the tarantulas.

Harsh punishment might deter banker misbehavior. And properly aligned sales incentives would surely go a long way in preventing debacles like this. But a fundamental vulnerability remains: We have no control over our personally identifiable information. We have to trust countless third parties to protect it and not to abuse it. And when someone attempts to misuse our data, whether it’s a cyberthief or a bank employee desperate to meet sales quotas, we don’t find out until after the fact, if at all.

That’s a broken system.

Rather than having to hand out car keys, individuals should have the power to give valet keys to their identity. A valet key can’t open the trunk or the glove department, and it allows the car to go only so fast. Personal data likewise should be shared on a conditional basis, with the limitations on what can be done with it enforced by contract, cryptography, or some combination.

Note that I am not calling for a government mandate. In Europe and the U.K., regulators are pushing banks to open up their data through application programming interfaces, so customers can easily port their information from one bank to another. It’s a worthy goal for those who value competitive markets, but a distasteful means for us on this side of the Atlantic. The change should come from the bottom up. So if any Washington regulators are reading this….PROMONTORY IS HIRING! OK, now that they’ve all left the room, we can continue the discussion.

Technologists have been working to fix the problem of identity for years. Their proposed solutions have been variously called personal clouds, user-centric identity, or most recently self-sovereign identity. As an aside, this software industry term, “user,” is a lot more appealing than that economist’s word we all use, “consumer.” A user controls her destiny. A consumer sounds like a 400-pound glutton being fed through a tube. As the banking industry moves into the digital world, perhaps it should start thinking of retail customers as users rather than consumers.

Back to identity: Banks can play a constructive role here. There are well over a dozen startups and open-source software projects designing identity solutions that would restore some measure of control to the user. Some of them are seeking to partner with banks. More broadly, any new system will have to be interoperable, meaning a digital identity would be widely usable. That requires coordination and the adoption of common data standards, which, as many bankers know, is like herding cats. It’s an opportunity for leadership.

A few forward-thinking banks, such as U.S. Bank, BBVA and USAA, have been exploring opportunities to themselves act as identity providers. They have to know everything about their customers under anti-money-laundering regulations, but other businesses don’t. Netflix, for example, may need to know that someone is old enough to view adult content, or located in a jurisdiction where certain material is not under copyright restrictions, but it doesn’t need a birthdate or a street address. Instead, the user’s bank could vouch that he meets the parameters, without burdening Netflix with personal information that hackers would want. The bank might even be able to charge Netflix a fee for this. Banks in other countries already provide similar services.

Of course, if banks remain custodians of this information, they will have to control internal access to it tightly – more tightly than Wells Fargo did, to say the least. By further undermining trust in financial institutions’ ability to safeguard anything above the FDIC insurance limit, Wells may have set back bank ID a ways in the U.S. The challenge for the industry now is to once again rebuild that trust – and either be part of the solution or stay out of the way.